CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-3553
Low

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.0 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2. Under certain conditions, this could have allowed an authenticated user to access confidential issue details due to incorrect authorization checks.

CVE-2026-41000
Low

Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. This may lead to ineffective protections against replay of UsernameToken nonces and Timestamp elements.

CVE-2026-47712
Low

Dulwich, a pure-Python implementation of Git file formats and protocols, had a vulnerability that allowed patch filenames to be derived from commit subject lines. Versions from 0.24.0 to prior to 1.2.5 did not properly sanitize these names, potentially leading to files being saved outside the specified directory.

CVE-2026-48011
Low

Shopware is an open commerce platform. Prior to versions 6.6.10.18 and 6.7.10.1, an attacker is able to enumerate the usernames of administrator users by performing a timing attack.

CVE-2026-46668
Low

SpiceDB is an open source database system for creating and managing security-critical application permissions. From version 1.15.0 to before version 1.52.0, caveat structures with nested lists can result in improper cache reuse. This issue has been patched in version 1.52.0.

CVE-2026-45380
Low

In the bit7z library prior to version 4.0.12, there was a one-byte off-by-one error in the SafeOutPathBuilder::restoreSymlink() function that allowed an attacker to craft a .7z archive. When extracted on non-Windows platforms, this created a symlink that could escape the intended output directory.

CVE-2026-0266
Low

A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS® software allows a malicious authenticated administrator to store a JavaScript payload using the web interface.

CVE-2022-48575
Low

A person with access to a Mac may be able to bypass the Login Window. A consistency issue was addressed with improved state handling. This issue is fixed in macOS Monterey 12.4.

CVE-2026-50568
Low

Fission is a serverless framework that operates on Kubernetes and had a vulnerability in path validation prior to version 1.25.0. The SanitizeFilePath function did not properly check directory boundaries, allowing access to unsafe directories.

CVE-2026-46497
Low

Crawlee is a web scraping and browser automation library. From version 1.0.0 to before version 1.7.0, Crawlee is vulnerable to SSRF via sitemap-derived URLs. This issue has been patched in version 1.7.0.

CVE-2026-49497
Low

Ghidra before 12.1 contains a path traversal vulnerability in SameDirDebugInfoProvider that fails to validate filenames from ELF binary .gnu_debuglink sections before constructing file paths. Attackers can craft malicious ELF binaries with traversal sequences to probe filesystem existence and leak CRC32 hashes of arbitrary files during automatic DWARF analysis.

CVE-2024-58350
Low

Ghidra before version 11.2 contains a use after free vulnerability in the Sleigh backend caused by undefined static initialization order of the SleighArchitecture::translators and XmlArchitectureCapability singletons. Attackers can trigger an infinite loop or denial of service during shutdown by exploiting the unsafe destruction order that causes iteration over deallocated memory.

CVE-2026-11859
Low

CVE-2026-11859 describes an HTML injection vulnerability in the 'fetch links' emails sent by Thinkst Applied Research Canarytokens, allowing for Interface Manipulation and Cross-Site Scripting (XSS) in email clients that render HTML emails.

CVE-2026-9060
Low

The Store Locator WordPress plugin before version 1.6.6 does not sanitize and escape one of its settings before storing and outputting it on the admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks.

CVE-2026-29114
Low

A vulnerability has been found in some Dahua products that allows an attacker to obtain the device’s CA root certificate. If that CA is installed and trusted on client systems, the attacker could issue fraudulent certificates trusted by those clients.

CVE-2025-59382
Low

Vulnerability CVE-2025-59382 has been fixed in a specific software version. QTS, QuTS hero, and QuTScloud are not affected.

CVE-2026-46546
Low

Frappe Learning Management System (LMS) prior to version 2.53.0 allowed authenticated users to supply specially crafted content in editable fields, which could lead to visitors' browsers being redirected to an attacker-chosen URL.

CVE-2026-41694
Low

Spring Security SAML decrypts SAML Responses and elements of SAML LogoutRequests and LogoutResponses without requiring a valid signature, allowing attackers to use the Service Provider as a decryption oracle.

CVE-2026-48289
Low

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access.

CVE-2026-48288
Low

Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to gain unauthorized write access.

PreviousPage 10 of 60Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS